
Yahoo warns users at least 500 million accounts were hacked

Users who haven't changed their passwords since 2014 are highly encouraged to do so.

Yahoo revealed that at least half a billion of its users were hacked in a 2014 leak.

The breach exposed at least 500 million accounts' names, email addresses, phone numbers, dates of birth and, in some cases, security questions and answers, the company said Thursday.

It's one of the largest-scale attacks at a time when massive hacks have become commonplace.

The internet pioneer said it's "working closely with law enforcement" on the breach, and believes that it was from a "state-sponsored actor," though it did not specify what country.

Yahoo is urging its users who haven't changed their passwords since 2014 to do so.

Verizon, which said in July it would purchase Yahoo for $4.83 billion, said it was notified of the massive breach within the last two days. The telecommunications giant said it had "limited information and understanding of the impact" in a statement.

"We will evaluate as the investigation continues through the lens of overall Verizon interests, including consumers, customers, shareholders and related communities," Verizon said.

Yahoo has taken steps to protect its users, including invalidating security questions and answers, but the real risk lies in hackers using the passwords on other websites.

"We typically see a 0.1% to 2% login success rate from credential stuffing attacks, meaning that a cybercriminal using 500 million passwords to attempt to take over accounts on another website would be able to take over tens of thousands of accounts on most websites," said Shuman Ghosemajumder, Google's former click fraud czar and CTO of Shape Security.

Facebook co-founder Mark Zuckerberg's Twitter account was hacked with a similar method after more than 100 million LinkedIn members' passwords were leaked.

Yahoo will have to wait several months before it can start gaining its users' trust back, according to research from Alertsec. The encryption provider did a study that found about 97 percent of Americans lose trust in companies like Yahoo after massive data breaches.

"When a company has allowed their customers' data to fall into the hands of criminals, the resulting lack of trust is difficult to repair," Alertsec CEO Ebba Blitz said in a statement.

On August 1, a hacker named "Peace" claimed to have breached 200 million Yahoo usernames and passwords from a hack in 2012, and offered to sell them on the dark web, after trying to do the same with MySpace and LinkedIn accounts.

When the incident was first revealed, Yahoo said its security team was investigating the hacker's claims. Nearly two months later, the number of accounts affected surged from 200 million to 500 million.

The breach's revelation in August came about a week after Verizon bought Yahoo. CEO Marissa Mayer announced she planned to stay at Yahoo after the acquisition.